I have an alert_actions.conf being ignored
I have an alert_actions.conf file that is pushed out to our search heads via deployment server. All of the settings (hostname, mailserver, from) are being ignored when in the app context. If I move the same file into $SPLUNK_HOME/etc/system/local, everything works.
I ran "splunk cmd btool alert_actions list" and the output is identical no matter where I put alert_actions.conf. In both cases, it looks like the settings are correct.
Any ideas on why this doesn't work?

Add a local.meta file to "alertactionappname/metadata" with the following stanza:
[]
export = system
This will do the job and solve the problem.

Still good after all these years
Don't forget to do an SHC rolling restart. You can also put it in default.meta.
Antonio (my splunk homey) went through this - the answer is in precedence and I don't think it's a bug.
See
docs.splunk.com/Documentation/Splunk/6.0.1/admin/Wheretofindtheconfigurationfiles
alert_actions.conf is effective at app/user scope - not global.
If you deliver alert_actions.conf to an instance in an app ON ITS OWN - it will have no effect.
If you deliver it into an app which has search configurations (where you are generating reports you wish to email) - it works exactly as defined.
The access URL tells you which scope you're in. I have put an alert_actions.conf in
$SPLUNK_HOME/etc/apps/dbx/local.
I can configure it from the GUI if I want from this url:
h-t-t-p://instance:8000/en-US/manager/dbx/admin/alert_actions/email?action=edit
If I want to email searches from within the search app - I must place the file in
$SPLUNK_HOME/etc/apps/search/local
and I configure it from the GUI using this URL:
h-t-t-p://instance:8000/en-US/manager/search/admin/alert_actions/email?action=edit
Its scope of effect is 'app/user', not global.
A user can provide his own alert_actions.conf - but again, it's in the userdir for a specific app, not for all apps.
Gavs
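
The scoping discussed in this thread can be checked offline. The following is an added example, not code from any poster or from Splunk: a Python audit that lists the apps shipping alert_actions.conf and reports whether their metadata exports it with export = system. The app names, the sample tree, and the simplified resolution order (local.meta over default.meta, [alert_actions] over [], no setting treated as app-private) are assumptions.

```python
import tempfile
from pathlib import Path

def read_meta(path):
    """Parse a Splunk .meta file into {stanza: {key: value}}; '' is the [] stanza."""
    stanzas, current = {}, None
    if path.is_file():
        for line in map(str.strip, path.read_text().splitlines()):
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and not line.startswith("#") and current is not None:
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def export_scope(app_dir, conf="alert_actions"):
    """Effective 'export' for a conf type. Assumed resolution: local.meta
    overrides default.meta, and [<conf>] is preferred over the catch-all []."""
    merged = {}
    for name in ("default.meta", "local.meta"):
        for stanza, settings in read_meta(app_dir / "metadata" / name).items():
            merged.setdefault(stanza, {}).update(settings)
    for stanza in (conf, ""):
        if "export" in merged.get(stanza, {}):
            return merged[stanza]["export"]
    return "none"  # assumption: no export setting means app-private

def audit(apps_root, conf="alert_actions"):
    """Map each app that ships <conf>.conf to its effective export scope."""
    return {app.name: export_scope(app, conf)
            for app in sorted(Path(apps_root).iterdir())
            if any((app / d / f"{conf}.conf").is_file() for d in ("default", "local"))}

def demo():
    """Audit a constructed etc/apps tree (sample apps, not from the thread)."""
    files = {
        "mail_only/local/alert_actions.conf": "[email]\nmailserver = smtp.example.com\n",
        "mail_global/local/alert_actions.conf": "[email]\nmailserver = smtp.example.com\n",
        "mail_global/metadata/local.meta": "[]\nexport = system\n",
        "unrelated/local/savedsearches.conf": "[demo]\nsearch = index=main\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return audit(root)

if __name__ == "__main__":
    print(demo())  # apps shipping alert_actions.conf and their export scope
```

Pointing audit() at a real $SPLUNK_HOME/etc/apps directory shows which deployed apps would keep their email settings app-scoped.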


Any thoughts on if it can be made global using an export = system in the default.meta of a custom app?
It is highly unlikely Splunk changed the precedence rules for that file between releases. Antonio tested it on 5.* and saw the same behaviour...


That may be for 6*, but is it different for 5*?

SPL-55476 was never validated and it is not a valid bug.
I have it working on 5.0.5. Splunk is connecting to the mailserver indicated below.
ON DS
/opt/SPLUNK/5.0.5-DS/splunk $ cat etc/deployment-apps/testDeployApp/local/alert_actions.conf
[email]
auth_password = $1$d2gP+53E8tz
auth_username = myemail@mailprovider.com
mailserver = smtp.mailprovider.com:2500
reportServerURL =
from = myemail@mailprovider.com
ON DC
/opt/SPLUNK/5.0.5-DC/splunk/bin $ ./splunk btool alert_actions list email --debug | egrep -o 'alert_action.*' | egrep -v command
alert_actions.conf [email]
alert_actions.conf auth_password = $1$ndCtP+qYE8tz
alert_actions.conf auth_username = myemail@mailprovider.com
alert_actions.conf bcc =
alert_actions.conf cc =
alert_actions.conf format = html
alert_actions.conf from = myemail@mailprovider.com
alert_actions.conf hostname =
alert_actions.conf inline = 0
alert_actions.conf mailserver = smtp.mailprovider.com:2500
alert_actions.conf maxresults = 10000
alert_actions.conf maxtime = 5m
alert_actions.conf pdfview =
alert_actions.conf preprocess_results =
alert_actions.conf reportCIDFontList = gb cns jp kor
alert_actions.conf reportIncludeSplunkLogo = 1
alert_actions.conf reportPaperOrientation = portrait
alert_actions.conf reportPaperSize = letter
alert_actions.conf reportServerEnabled = false
alert_actions.conf reportServerURL =
alert_actions.conf sendpdf = 0
alert_actions.conf sendresults = 0
alert_actions.conf subject = Splunk Alert: $name$
alert_actions.conf to =
alert_actions.conf track_alert = 1
alert_actions.conf ttl = 86400
alert_actions.conf use_ssl = 0
alert_actions.conf use_tls = 0
alert_actions.conf width_sort_columns = 1
ddeighton,
I found the same exact issue on my Splunk Server. This seems to be a bug with Splunk where the Splunk Search Head only recognizes alert_actions.conf in the local (/opt/splunk/etc/system/local) config directory.
Submitted a bug report.


I don't see SPL-55476 listed on docs.splunk.com. Has this been listed as a known issue or fixed? http://docs.splunk.com/Special:SplunkSearch/docs?q=SPL-55476

Splunk bug SPL-55476 was created to address this issue. Thanks everyone that continues to reference this answer post.
Support Case # 84640 for this issue.
@ddeighton it might be an idea for you to also file a bug report just so Splunk are aware it is afflicting more than one user; they may also find multiple data sources on the bug helpful -> https://www.splunk.com/page/submit_issue. If @cbowles could share his support ref, then you could include that within your ticket so they can link the two issues quickly.
Thanks, cbowles, for confirming the problem and filing the bug report.
